
PAM Enabled Linux Endpoint

mgra
New Contributor III

Hello,

We are trying to enable the PAM feature for a specific Linux instance. However, when we ran the PAM bootstrap job, it didn't turn on PAM. Now it throws an error when we try to modify the configuration on the PAM Attributes tab of the endpoint.

[screenshot: graceandrade_0-1673827424860.png]

Below is the PAM bootstrap configuration.

{
  "Connection": "AWS",
  "maxRequestTime": "36000",
  "encryptionMechanism": "ENCRYPTED",
  "EVQuery": "ev.customproperty40='PAM_Bootstrap'",
  "UNIX": {
    "defaultCredentialConnection": {
      "connectionName": "MASTER-UNIX-CONNECTION",
      "changeConnectionCredentials": true
    },
    "defaultSecuritySystemDetails": {
      "securitySystemName": "new",
      "workflow": "PAMAutoApprovalWF",
      "passwordPolicy": "Test_PAM_policy"
    },
    "actions": {
      "restricted": "yum,sudo,visudo,apt,install,iptables,rm,mkfs,alias,ssh,telnet,scp,kill,shutdown,passwd,cron,traceroute",
      "risky": {
        "high": "file,wget,scp,curl,df,chmod,chown,echo,exit,uname,netstat",
        "medium": "cat,vi,touch,find,history,awk,grep"
      }
    },
    "shareableAccounts": {
      "IDQueryCredentialless": "acc.name in ('savtestuser')",
      "IDQueryCredentials": "acc.name in ('')"
    },
    "maxCredSessionRequestTime": "10800",
    "maxCredlessSessionRequestTime": "10800",
    "maxIDRequestableTime": "10800",
    "skipOpenPorts": "false",
    "skipPushKeys": "false",
    "reconciledAccountAction": "NONE",
    "endpointAttributeMappings": [
      {
        "column": "accessquery",
        "value": "where users.USERNAME is not null",
        "feature": "endpointAccessQuery"
      },
      {
        "column": "allowChangePassword_sqlquery",
        "value": "AC.ACCOUNTTYPE != 'Platform Service Account'",
        "feature": "allowChangepasswordquery"
      },
      {
        "column": "customproperty43",
        "value": "PAMDefaultUserAccountAccessControl",
        "feature": "accountVisibilityControl"
      }
    ],
    "endpointPamConfig": {
      "maxConcurrentSession": "50"
    },
    "accountVisibilityConfig": {
      "accountCustomProperty": "customproperty55",
      "accountMappingConfig": [
        {
          "accountPattern": "savtestuser",
          "mappingData": "PAMtest",
          "override": "false"
        }
      ]
    }
  }
}
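A pre-flight sanity check for a bootstrap JSON of the shape posted above, added here as an example; it is not Saviynt's own validation and does not diagnose the thread's failure (which the replies trace to the pamms pod, not to the config). The check rules are assumptions of this example: it flags commands that appear in more than one action tier (in the posted config, scp is both restricted and risky.high, so it is unclear which policy wins), shareable-account queries whose IN list is empty (the IDQueryCredentials value above matches no account), missing UNIX sub-sections, and session time limits that are not positive integers. The embedded config is a constructed copy of the posted one, trimmed to the fields the checks read.

```python
import json
import re

# Constructed sample: the bootstrap JSON from the post above, reduced to the
# fields these checks look at. Not a Saviynt reference schema.
SAMPLE_CONFIG = json.loads(r'''
{
  "Connection": "AWS",
  "maxRequestTime": "36000",
  "encryptionMechanism": "ENCRYPTED",
  "EVQuery": "ev.customproperty40='PAM_Bootstrap'",
  "UNIX": {
    "defaultCredentialConnection": {
      "connectionName": "MASTER-UNIX-CONNECTION",
      "changeConnectionCredentials": true
    },
    "defaultSecuritySystemDetails": {
      "securitySystemName": "new",
      "workflow": "PAMAutoApprovalWF",
      "passwordPolicy": "Test_PAM_policy"
    },
    "actions": {
      "restricted": "yum,sudo,visudo,apt,install,iptables,rm,mkfs,alias,ssh,telnet,scp,kill,shutdown,passwd,cron,traceroute",
      "risky": {
        "high": "file,wget,scp,curl,df,chmod,chown,echo,exit,uname,netstat",
        "medium": "cat,vi,touch,find,history,awk,grep"
      }
    },
    "shareableAccounts": {
      "IDQueryCredentialless": "acc.name in ('savtestuser')",
      "IDQueryCredentials": "acc.name in ('')"
    },
    "maxCredSessionRequestTime": "10800",
    "maxCredlessSessionRequestTime": "10800",
    "maxIDRequestableTime": "10800"
  }
}
''')

REQUIRED_UNIX_KEYS = ("defaultCredentialConnection", "defaultSecuritySystemDetails",
                      "actions", "shareableAccounts")
TIME_KEYS = ("maxCredSessionRequestTime", "maxCredlessSessionRequestTime",
             "maxIDRequestableTime")


def split_commands(csv):
    """Split a comma-separated command list, dropping blanks and whitespace."""
    return [c.strip() for c in csv.split(",") if c.strip()]


def command_tiers(actions):
    """Map every command name to the set of tiers (restricted, risky.high, ...) it is listed in."""
    tiers = {"restricted": actions.get("restricted", "")}
    for level, csv in actions.get("risky", {}).items():
        tiers["risky." + level] = csv
    seen = {}
    for tier, csv in tiers.items():
        for cmd in split_commands(csv):
            seen.setdefault(cmd, set()).add(tier)
    return seen


def overlapping_commands(actions):
    """Commands that appear in more than one tier, with their tiers sorted."""
    return {cmd: sorted(t) for cmd, t in command_tiers(actions).items() if len(t) > 1}


def empty_in_list(query):
    """True when a query of the form "acc.name in ('a','b')" lists only empty strings."""
    m = re.search(r"\bin\s*\(([^)]*)\)", query, re.IGNORECASE)
    if not m:
        return False
    names = [n.strip().strip("'\"") for n in m.group(1).split(",")]
    return all(n == "" for n in names)


def check_config(cfg):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    unix = cfg.get("UNIX", {})
    for key in REQUIRED_UNIX_KEYS:
        if key not in unix:
            findings.append(f"missing UNIX.{key}")
    for cmd, tiers in sorted(overlapping_commands(unix.get("actions", {})).items()):
        findings.append(f"command '{cmd}' listed in several tiers: {', '.join(tiers)}")
    for name, query in unix.get("shareableAccounts", {}).items():
        if empty_in_list(query):
            findings.append(f"shareableAccounts.{name} matches no account: {query}")
    for key in TIME_KEYS:
        val = unix.get(key)
        # Assumption of this example: the limits are positive integer seconds stored as strings.
        if val is None or not str(val).isdigit():
            findings.append(f"UNIX.{key} is not a positive integer string: {val!r}")
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG):
        print(line)
```

Run against the posted config the script reports the scp overlap and the empty IDQueryCredentials list; neither is stated by the thread to be the cause of the failed bootstrap, but both are worth resolving before re-running the job so the resulting policy is unambiguous.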

Saathvik
All-Star

Did you find any errors in the PAMMS logs? When you ran the bootstrap job, can you please capture the PAMMS logs to see why it is failing to enable PAM?

Also, to enable PAM on this endpoint, what job did you run?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

mgra
New Contributor III

I ran the bootstrap job, but these are the only logs I got.

[screenshot: graceandrade_0-1674000549875.png]

I mean you can run the bootstrap job in two ways.

1. Job Type as Application Data Import (Single Threaded) and select Import Type as pambootstrap

2. Job Type as Microservices and configure the bootstrap API

So I am trying to understand which method you have used; based on that I thought of suggesting the right logs to look for.

If you use the first method, then I would suggest looking at the ecm-worker logs as well.

Based on the logs you shared, I don't see any bootstrap call coming to PAMMS.

I would suggest looking at the ECM-WORKER logs as well.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

NageshK
Saviynt Employee

@mgra Were you able to bootstrap the Linux endpoint? Post-bootstrap, are you able to see the accounts under the endpoint? If not, try clicking "Save and Test" on the corresponding Linux connection to make sure the connection works.

mgra
New Contributor III

Yes, we have enabled PAM. As per the discussion with Saviynt Support, there's an issue in the 2021 version where the pamms pod gets broken after the rabbitmq pod is restarted. This creates issues with all bootstrap scenarios.

Resolution: explicitly restart the pamms pod to re-establish the listener functionality, or upgrade the instance to Saviynt Version 2022.

Yeah, true, there is a known issue in the bootstrap process: sometimes it loses its connection with rabbitmq. There is a JIRA already opened with the Engineering team to resolve this issue.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Hi,

I have the same error on version 23.1. Can you please elaborate a bit on the approach you have taken, e.g. did you create a master Unix connection and an on-premise connection separately? What I have seen is that the master Unix template does not have PAM_Config parameters in it, so a separate on-premise connection has to be created for bootstrapping the Linux accounts. I have explained the detailed steps I have done here: [CPAM] Issue with PAM bootstrapping the on-prem Li... - Saviynt Forums - 33957